From: Xiaochen Wang <wangxiaochen0@gmail.com>
To: Jean Sacren <sakiwit@gmail.com>, Michal Marek <mmarek@suse.cz>,
	linux-kernel@vger.kernel.org
Subject: [PATCH] scripts/kallsyms.c: fix potential segfault
Date: Sun, 1 May 2011 11:41:41 +0800
Message-ID: <20110501034141.GA13473@chii>

Description:
This bug hardly appears during real kernel compiling,
because the vmlinux symbol table is huge.

But we can still catch it under a strict condition, as follows.
   $ echo "c101b97b T do_fork" | ./scripts/kallsyms --all-symbols
   #include <asm/types.h>
   ......
   ......
   .globl kallsyms_token_table
           ALGN
   kallsyms_token_table:
   Segmentation fault (core dumped)
   $

If the symbol table is small, all entries in token_profit[0x10000] may
decrease to 0 after several calls of compress_symbols() in optimize_result().
In that case, find_best_token() always returns 0 and
best_table[i] is set to "\0\0" and best_table_len[i] is set to 2.

As a result, expand_symbol(best_table[0]="\0\0", best_table_len[0]=2, buf)
in write_src() will run in infinite recursion until stack overflows,
causing segfault.

This patch checks the find_best_token() return value. If all entries in
token_profit[0x10000] have become 0 according to the return value, it breaks
the loop in optimize_result().
And expand_symbol() works well when best_table_len[i] is 0.


Signed-off-by: Xiaochen Wang <wangxiaochen0@gmail.com>
---
 scripts/kallsyms.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/scripts/kallsyms.c b/scripts/kallsyms.c
index 60dd3eb..487ac6f 100644
--- a/scripts/kallsyms.c
+++ b/scripts/kallsyms.c
@@ -500,6 +500,8 @@ static void optimize_result(void)
 
 			/* find the token with the breates profit value */
 			best = find_best_token();
+			if (token_profit[best] == 0)
+				break;
 
 			/* place it in the "best" table */
 			best_table_len[i] = 2;
-- 
1.7.2.3
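The failure mode described in the commit message, modelled as an added example (constructed for this page, not the kernel's scripts/kallsyms.c): a simplified expand_symbol() with a depth guard so the runaway recursion is observable instead of crashing, and a run() that fills best_table slot 0 the way optimize_result() does once token_profit is all zero, with and without the patched check. The 64-level guard, the mode numbers and the "do" token for the normal case are assumptions.

```c
#include <string.h>
/* Constructed model of the kallsyms tables (not the kernel's code): best_table[c]
 * is the expansion of byte c; length 1 with best_table[c][0] == c means "itself". */
static unsigned char best_table[256][2];
static unsigned char best_table_len[256];
static unsigned int token_profit[0x10000];   /* all zero: nothing left to merge */

/* Like expand_symbol(): expands data[0..len) into out, returns the byte count.
 * The real function has no depth guard; that is the stack overflow described. */
static int expand_symbol(const unsigned char *data, int len, char *out, int depth)
{
    int total = 0, r;
    if (depth > 64)                    /* guard added for this demo only */
        return -1;
    while (len--) {
        unsigned char c = *data++;
        if (best_table[c][0] == c && best_table_len[c] == 1) {
            out[total++] = c;          /* literal byte */
            continue;
        }
        r = expand_symbol(best_table[c], best_table_len[c], out + total, depth + 1);
        if (r < 0)
            return -1;
        total += r;                    /* token: append its expansion */
    }
    out[total] = '\0';
    return total;
}

/* mode 0: the bug (profit table exhausted, no check); mode 1: the patched check;
 * mode 2: normal operation, slot 0 holds the real token "do" for "\0_fork". */
static int run(int mode, char *out)
{
    static const unsigned char sym[] = { 0, '_', 'f', 'o', 'r', 'k' };
    int best = 0;                      /* find_best_token() with all profits 0 */
    memset(best_table, 0, sizeof best_table);
    memset(best_table_len, 0, sizeof best_table_len);
    for (int c = 1; c < 256; c++)      /* every byte initially stands for itself */
        best_table[c][0] = c, best_table_len[c] = 1;
    if (mode == 2) {
        best_table[0][0] = 'd', best_table[0][1] = 'o', best_table_len[0] = 2;
        return expand_symbol(sym, sizeof sym, out, 0);
    }
    if (!(mode == 1 && token_profit[best] == 0)) {
        best_table_len[0] = 2;         /* "\0\0": a token that expands to itself */
        best_table[0][0] = best >> 8;
        best_table[0][1] = best & 0xff;
    }
    return expand_symbol(best_table[0], best_table_len[0], out, 0);
}
```

run(0, buf) hits the guard and returns -1 (unbounded recursion in the real code), run(1, buf) returns 0 with an empty expansion, and run(2, buf) yields "do_fork".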


Thread overview: 3+ messages
2011-05-01  3:41 Xiaochen Wang [this message]
2011-05-03 11:56 ` [PATCH] scripts/kallsyms.c: fix potential segfault Paulo Marques
2011-05-12 15:24 ` Michal Marek
